Enhanced Due Diligence: Meaning, Process, and Best Practices

Enhanced due diligence (EDD) is a heightened investigation process applied to customers and transactions that present an elevated risk of money laundering, terrorist financing, or other financial crime. The stakes are real: the UNODC estimates money laundering at 2–5% of global GDP, or up to $2 trillion annually — and regulators are increasingly focused on whether institutions are actually executing their EDD obligations, not just documenting them on paper.

For compliance officers, BSA Officers, MLROs, CAMLOs, and founders at fintechs, crypto firms, banks, and money transmitters across the US, UK, and Canada, EDD is both a regulatory requirement and a practical risk management tool. Yet it's frequently treated as a one-time onboarding checklist rather than the ongoing, structured process regulators expect.

This article covers what EDD means, how it differs from standard CDD, how to execute it step by step, what triggers it, and what best practices look like in practice.


TL;DR

  • EDD goes beyond standard KYC: it verifies source of funds, beneficial ownership, and ongoing transaction behavior for high-risk customers
  • It's triggered by specific risk factors: PEPs, high-risk jurisdictions, complex ownership structures, and unusual transaction patterns
  • EDD is a continuous process — risk profiles must be monitored and reassessed throughout the customer relationship
  • Requirements are embedded in BSA/AML (US), FATF Recommendations, FCA guidance (UK), and FINTRAC rules (Canada)
  • Having an EDD policy isn't enough — poor execution still exposes institutions to significant fines and enforcement action

What Is Enhanced Due Diligence?

EDD is a deeper, more rigorous level of customer background investigation applied when a customer's risk profile exceeds what standard KYC can adequately address. It goes beyond identity verification to build a full picture of who the customer is, where their money comes from, and whether the relationship presents an acceptable level of risk.

What EDD is designed to establish:

  • Verified source of funds and source of wealth
  • Ultimate beneficial ownership, including through layered corporate structures
  • The purpose and expected nature of the business relationship
  • Red flags that standard CDD would miss — adverse media, sanctions exposure, inconsistent financial profiles

How EDD Differs from CDD

Customer due diligence (CDD) is the baseline KYC process applied to all customers under frameworks like FATF Recommendation 10 and FinCEN's CDD Final Rule (effective May 11, 2018). It covers identity verification, beneficial ownership identification, and ongoing monitoring at a standard level.

EDD escalates that baseline when a customer's risk profile crosses a defined threshold. It adds intensity, additional documentation requirements, and more frequent review — applied on top of CDD, not instead of it.


How the EDD Process Works

EDD is a structured, recurring cycle. It begins at onboarding and continues throughout the customer relationship through monitoring, periodic review, and dynamic reassessment as new information emerges.

The process draws on multiple inputs:

  • Initial risk classification
  • Identity and ownership documentation
  • Source of funds and wealth evidence
  • Sanctions and adverse media screening results
  • Ongoing transaction behavior

Step 1: Conduct an Initial Risk Assessment

Every EDD engagement starts with classifying the customer against a documented risk-scoring framework. This means evaluating geographic location, industry type, transaction behavior, and ownership structure to determine whether EDD is warranted — and at what intensity.

The classification must be documented with a clear rationale. "We decided this was high risk" is not sufficient. Regulators want to see the specific factors that drove the determination and how they map to your institution's risk appetite.

Step 2: Perform Enhanced Identity and Beneficial Ownership Verification

Standard CDD identifies beneficial owners. EDD verifies them by going beyond surface-level registration records to cross-reference corporate structures through official registries, independent databases, and direct documentation requests.

Where scrutiny is required:

  • Nominee directors who may obscure the true controller
  • Multi-layered shareholding structures designed to create distance between the customer and underlying ownership
  • Jurisdictions where corporate registration requirements are minimal or opaque

The goal is to establish who ultimately controls and benefits from the entity — not just who is listed on the paperwork.

Step 3: Verify Source of Funds and Source of Wealth

These are two distinct concepts that both require documentary evidence:

  • Source of funds: the origin of the money in a specific transaction. Evidence: bank statements, wire transfer records.
  • Source of wealth: how the customer accumulated their overall financial position. Evidence: tax records, business ownership documents, inheritance paperwork, financial statements.

Discrepancies between claimed and verifiable wealth must be fully resolved before the relationship proceeds. Collecting documents is not enough — institutions need to scrutinize them and document what they found.

Step 4: Conduct Adverse Media and Sanctions Screening

This step screens the customer and their beneficial owners against:

  • Global sanctions lists (OFAC SDN, HMT, UN)
  • PEP databases
  • Adverse media sources covering financial crime, corruption, and regulatory action

Screening cannot be a one-time event. It must be repeated at defined intervals and triggered by material changes in the customer's profile. Escalation protocols for confirmed hits should be documented in your procedures before a hit occurs — reactive improvisation is a common compliance failure point.

Step 5: Establish an Ongoing Monitoring and Review Plan

The ongoing monitoring plan determines how the relationship is managed after onboarding. Institutions must:

  • Set transaction monitoring thresholds calibrated to each high-risk customer's expected behavior pattern
  • Schedule periodic risk profile reviews — typically every 6–12 months for high-risk relationships
  • Build a process for escalating EDD intensity dynamically when new risk information emerges

A static EDD completed at onboarding and never revisited is one of the most commonly cited failure patterns in regulatory enforcement actions.


[Figure: 5-step enhanced due diligence process flow from risk assessment to ongoing monitoring]

When EDD Is Required: Key Triggers and High-Risk Scenarios

Regulatory Mandates

EDD obligations arise across all major frameworks:

  • US: FinCEN's CDD Final Rule (31 CFR 1010.230) for beneficial ownership; Section 312 of the USA PATRIOT Act (31 CFR 1010.610(c)) mandates EDD for correspondent accounts with certain foreign financial institutions
  • FATF: Recommendations 10, 12, and 13 cover baseline CDD, PEP EDD, and correspondent banking EDD
  • EU: 4AMLD (Directive 2015/849) Articles 18–20, as amended by 5AMLD, establishes EDD requirements for high-risk third countries, PEPs, and complex transactions
  • UK: Money Laundering Regulations 33–35 and JMLSG Chapter 5 govern higher-risk EDD, PEPs, and correspondent relationships
  • Canada: PCMLTFA and FINTRAC guidance on enhanced measures and ongoing monitoring for high-risk clients

[Figure: EDD regulatory framework comparison across US, FATF, EU, UK, and Canada jurisdictions]

High-Risk Customer Profiles That Trigger EDD

Politically exposed persons (PEPs). FATF defines a PEP as someone who is or has been entrusted with a prominent public function. Under FATF Recommendation 12, foreign PEPs require senior management approval, documented source of wealth and funds, and enhanced ongoing monitoring. Example: a bank onboarding a senior foreign government official must clear all three before opening the account.

Customers from high-risk jurisdictions. As of FATF's February 2026 update, DPRK, Iran, and Myanmar are on the black list (subject to a call for action), while the grey list includes Algeria, Bulgaria, Lebanon, Venezuela, Vietnam, and 17 other jurisdictions. Transactions involving these countries are automatic EDD triggers.

Complex or opaque ownership structures. FATF and the Egmont Group's beneficial ownership research, drawing on over 100 case studies across 34 jurisdictions, identifies anonymous shell companies as one of the most widely used methods for laundering proceeds of crime. Nominee directors and multi-layered corporate arrangements require particular scrutiny.

The following industries carry elevated ML/TF risk and warrant EDD by default:

  • Gambling and gaming operators
  • Cryptocurrency exchanges and wallet providers
  • Arms dealers and defense contractors
  • Cash-intensive businesses (retail, restaurants, parking)
  • Money services businesses (MSBs) and currency exchanges

These sectors involve some combination of high transaction volumes, limited transparency, and regulatory complexity, factors that increase exposure regardless of individual customer behavior.

Transaction-Level Triggers

Customer risk profiles aren't static. Specific transaction behaviors can escalate a previously lower-risk customer into EDD territory:

  • Large or unexplained cash transactions inconsistent with stated business activity
  • Sudden spikes in transaction volume without a clear business explanation
  • Cross-border transactions involving grey- or black-listed jurisdictions
  • Cryptocurrency activity suggesting layering (for example, rapid small transactions fanned out to multiple wallet addresses)

[Figure: EDD trigger categories infographic covering customer, transaction, and event-driven risk indicators]

Event-Driven Reassessment

EDD is not only an onboarding decision. Mid-relationship triggers include:

  • New adverse media hits or sanctions designations
  • SAR filings related to the customer
  • Changes in beneficial ownership
  • Shifts in the customer's business model or transaction profile

Institutions must have processes to identify and act on these signals dynamically — waiting for the next scheduled review is not acceptable.

The Cost of Getting It Wrong

FinCEN's $390 million enforcement action against Capital One (January 2021) illustrates what happens when EDD is not applied to clearly high-risk customer segments. The violations included willful failure to maintain an effective AML program and failure to file thousands of SARs for customers ranked as the highest-risk in the business unit.

In the UK, the FCA fined Guaranty Trust Bank £7.67 million in 2023 specifically for inadequate EDD on higher-risk customers, including failures to establish source of funds and source of wealth. Barclays Bank received a £39.3 million FCA fine in July 2025 for failing to apply appropriate CDD and EDD — and for not updating risk ratings as the customer's risk profile changed.

Having an EDD policy on paper is not sufficient. Regulators examine whether staff are trained, reviews are documented, and escalation paths are actually used — not just whether a policy exists.


EDD Best Practices for Compliance Teams

Adopt a Documented, Risk-Based Approach

EDD intensity should be calibrated to actual risk — not applied uniformly across all high-risk customers. A tiered risk-scoring methodology should define:

  • How risk levels are assigned and documented
  • What documentation thresholds apply at each tier
  • How and when risk levels are escalated or downgraded

Avoid two failure modes: over-screening low-risk customers (which wastes resources and creates friction) and under-screening genuinely high-risk ones (which creates regulatory exposure). FATF, FinCEN, and FCA frameworks all treat a risk-based approach as a regulatory requirement — not an operational preference.
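The tiered risk-scoring methodology above, together with the documented rationale of Step 1, the transaction-level and event-driven triggers, and the senior sign-off rule, can be expressed as a small scoring engine. The code below is an added example, not the article's or Fraxtional's own tooling; its weights, tier thresholds, and the hard-coded jurisdiction and sector lists are constructed illustrations that a real programme would calibrate to its own risk appetite and to the current FATF lists.

```python
from dataclasses import dataclass, field

# Constructed lists for this example: only the jurisdictions and sectors the
# article names. A real programme loads the current FATF lists, not a hard-coded set.
FATF_BLACK_LIST = {"DPRK", "Iran", "Myanmar"}
FATF_GREY_LIST = {"Algeria", "Bulgaria", "Lebanon", "Venezuela", "Vietnam"}
HIGH_RISK_INDUSTRIES = {"gambling", "crypto_exchange", "arms", "cash_intensive", "msb"}
# Transaction-level and event-driven triggers from the article, with constructed
# weights. A confirmed sanctions hit forces the highest tier on its own.
EVENT_WEIGHTS = {
    "adverse_media": 20, "sar_filed": 30, "ownership_change": 15,
    "volume_spike": 20, "unexplained_cash": 25, "layering_pattern": 30,
    "sanctions_hit": 100,
}

@dataclass
class Customer:
    name: str
    jurisdiction: str
    industry: str
    is_pep: bool = False
    ownership_layers: int = 1        # corporate layers between customer and UBO
    nominee_directors: bool = False

@dataclass
class RiskDecision:
    tier: str                        # "standard" (CDD only), "high" or "highest"
    score: int
    factors: list[str] = field(default_factory=list)   # the written rationale
    senior_signoff: bool = False
    review_months: int = 12

def assess(c: Customer, events: tuple[str, ...] = ()) -> RiskDecision:
    """Score a customer and record every factor so the decision is auditable."""
    score, factors = 0, []
    checks = [
        (c.is_pep, 40, "PEP: senior approval and SoW/SoF evidence (FATF R.12)"),
        (c.jurisdiction in FATF_BLACK_LIST, 50, f"FATF black list: {c.jurisdiction}"),
        (c.jurisdiction in FATF_GREY_LIST, 25, f"FATF grey list: {c.jurisdiction}"),
        (c.industry in HIGH_RISK_INDUSTRIES, 20, f"high-risk sector: {c.industry}"),
        (c.ownership_layers >= 3, 20, f"{c.ownership_layers}-layer ownership chain"),
        (c.nominee_directors, 15, "nominee directors obscure the true controller"),
    ]
    for hit, weight, reason in checks:
        if hit:
            score += weight
            factors.append(reason)
    for e in events:                 # mid-relationship reassessment, not just onboarding
        if e not in EVENT_WEIGHTS:
            raise ValueError(f"unknown EDD trigger: {e}")
        score += EVENT_WEIGHTS[e]
        factors.append(f"event: {e}")
    tier = "highest" if score >= 70 else "high" if score >= 30 else "standard"
    opaque = c.ownership_layers >= 3 or c.nominee_directors
    signoff = tier == "highest" or (tier == "high" and (
        c.is_pep or c.jurisdiction in FATF_BLACK_LIST or opaque))
    return RiskDecision(tier, score, factors, signoff, 6 if tier == "highest" else 12)
```

Re-running `assess` with the new events whenever a SAR is filed or a volume spike is detected is what turns a static onboarding file into the dynamic reassessment the article describes; the `factors` list is the rationale a reviewer expects to find on file.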

Require Senior Management Sign-Off for the Highest-Risk Relationships

For PEPs, customers from sanctioned jurisdictions, or entities with significant ownership opacity, documented approval from a senior compliance officer or board-level representative is required before onboarding or continuing the relationship. This is an explicit requirement under FATF Recommendation 12 and is reflected in FCA and FINTRAC guidance.

For institutions without an in-house CCO, this creates a practical gap. Fraxtional's fractional compliance officers — covering CCO, BSA Officer, CAMLO, and MLRO roles — can be named as the official compliance lead in regulatory filings and client-facing documentation. This gives regulators the senior management accountability they expect, without a full-time executive hire.

Maintain Complete, Auditable Documentation

Every EDD decision must be documented in a way that could withstand regulatory scrutiny — not just that checks were performed, but:

  • What was found
  • How discrepancies were resolved
  • What risk judgment was made and by whom

FINTRAC's CAD $9.185 million penalty against TD Bank in 2024 cited failures to assess and document ML/TF risks and to keep records of measures taken during ongoing monitoring. Documentation gaps are one of the most common causes of enforcement action even when the underlying checks were conducted.

[Figure: EDD documentation requirements checklist showing required records, evidence, and audit trail elements]

Build Clear Escalation Protocols and Staff Training

Compliance and front-line staff need to know how to:

  • Identify EDD triggers at onboarding and during the relationship
  • Gather and verify required documentation
  • Escalate findings through defined channels with appropriate urgency

The FCA's GT Bank final notice identified weaknesses not just in policy design but in staff execution — a reminder that EDD programs fail at the operational level, not just on paper. FINTRAC guidance also requires that compliance programs include ongoing training as a documented component.

For fintech startups, crypto firms, and growing financial institutions that haven't yet built out senior compliance leadership, meeting these operational requirements can be difficult. Fraxtional's fractional compliance directors bring hands-on BSA/AML, FATF, FCA, and FINTRAC experience to these teams — including directors who have held named compliance roles at institutions examined by the OCC, FDIC, and NCUA.


Common EDD Mistakes and Misconceptions

Treating EDD as a One-Time Onboarding Task

Completing EDD at account opening and filing it away is one of the most prevalent and costly mistakes. Regulators expect active, continuous monitoring and periodic risk profile reassessment. As customer activity and business structures change, EDD files that aren't updated become a liability rather than a safeguard.

Confusing Document Collection with Document Verification

Many organizations collect the required documents but fail to verify their authenticity, investigate discrepancies, or document the verification process itself. The FCA's GT Bank enforcement action cited exactly this failure: collecting source of funds documentation without actually establishing and verifying it. Regulators look for evidence that documentation was scrutinized, not merely gathered.

Applying EDD Inconsistently Due to an Absent Risk Framework

Without a documented, applied risk-scoring model, EDD decisions become subjective. The FCA's Barclays final notice identified failures to update risk ratings and apply EDD after risk indicators changed — a direct consequence of an inconsistent framework. A risk-based approach requires formal methodology, not ad hoc judgment calls.

Frequently Asked Questions

What is enhanced due diligence?

EDD is a more rigorous level of customer background investigation applied to high-risk relationships. It goes beyond standard KYC to verify source of funds, beneficial ownership, and ongoing transaction behavior — building a full risk picture rather than confirming basic identity.

What is the difference between CDD and EDD?

CDD is the standard Know Your Customer process applied to all customers. EDD is an escalated version triggered when a customer's risk profile exceeds what standard CDD can address. It adds depth, additional documentation requirements, senior management involvement, and more frequent monitoring.

What is an example of enhanced due diligence?

A bank onboarding a senior foreign government official (PEP) would require detailed source of wealth documentation, enhanced transaction monitoring thresholds, periodic review at defined intervals, and documented senior management sign-off before the account is opened.

When should EDD be applied?

EDD applies to PEPs, customers from FATF grey- or black-listed jurisdictions, entities with complex ownership structures, and any case where standard CDD leaves unresolved red flags. It can also be triggered mid-relationship by adverse information, SAR filings, or ownership changes.

What documents are required for EDD?

Typical EDD documentation includes enhanced identity documents, source of funds and wealth evidence (financial statements, tax returns, ownership records), corporate registration and beneficial ownership filings, and adverse media and sanctions screening records.

What happens if a financial institution fails to conduct EDD?

Failure to implement EDD can result in significant regulatory fines, enforcement actions, and mandatory remediation programs. Regulators across the US, UK, and Canada have levied hundreds of millions of dollars in penalties against institutions with inadequate EDD programs — and the standard is execution, not just policy documentation.